The Wall Street Journal reports that lawmakers (Sen. Jay Rockefeller of West Virginia, Sen. Robert Menendez of New Jersey, Sen. Sheldon Whitehouse of Rhode Island, Sen. Mark Warner of Virginia and Sen. Richard Blumenthal of Connecticut) asked the SEC in a letter to
. . . issue guidance stating that companies must report when they have suffered a major network attack and disclose details on intellectual property or trade secrets that hackers may have stolen.
The SEC guidance should also clarify that existing corporate-risk disclosure requirements compel companies to disclose if they are vulnerable to cyberattacks, the five lawmakers, all Senate Democrats, said.
“In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk,” the lawmakers wrote to SEC Chairman Mary Schapiro.
There’s an argument that the reporting is already required under SOX. It would be good for companies to have guidance on this so that obligations are clear. Currently, some companies disclose and others do not. There isn’t consistency. It’s not really fair to the shareholders and it doesn’t create an incentive to report. Generally, I think mandatory reporting of incidents is overdone. The population is numb from constantly getting letters and they have no idea what to do once they receive a letter. I’d prefer to have mandatory notification to regulators and then a joint agreement reached on whether to notify customers. This would still result in an incentive to increase privacy and security compliance, but would not result in the numbing out of the average consumer from multiple breach notifications. Breach notifications should be reserved for when consumers need to know so as to exercise their rights and/or to take action to protect themselves.